Hi. I'm using auth-method FORM for authentication on my web application. This worked fine: I can verify my current user by request.getUserPrincipal() or check the roles with the isUserInRole method. Now I need access to a Subject object for this user. My question is, was the subject created in the login process along with the principal object? If so, how can I get the Subject? If I call LoginContext, won't I be doing another unnecessary login?

You can't really, as it is discarded in the process, sorry. You get null because no subject is set in the executing context. =)

The authentication does not affect the Java system-level security layer.

The JAAS login Realm will have authenticated using the Tomcat CallbackHandler and returned subject.getPrincipal to the FormAuthenticator, which has stuffed it in the request session.

From experience with web servers, you need to do something called an access context switch. After looking at the code in Tomcat, this seems impossible.

In later versions (5.05, or perhaps the JBoss version), you would need to write or find a Filter or Valve which gets the subject out of the session and calls something like `Subject.doAs(session.getAttribute("some_random_subject_key"), PA { run { chain.forward ... } })`.

You could write a LoginContext which trusts you (the caller) and returns a Subject.

Then the code actually runs as whoever it is logged in as. I have had to write a security context switcher for Jetty and Tomcat in the past.

I don't know if this is now standard in the later releases. Good luck.

Just an afterthought. If you subclass Realm and GenericPrincipal and add a principal.getSubject() method that returns the original subject, then you can get it from ((MyPrincipal) request.getPrincipal()).getSubject().

This is what JBoss appears to have done, so if you happen to have authenticated an instance of JBossGenericPrincipal you can call getSubject.
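The Filter-based context switch and the Subject-carrying Principal described in the answer above, written out as an added example (this is not code from the original post, nor Tomcat's or JBoss's own code). It assumes a hypothetical interface `SubjectAwarePrincipal` that your custom Realm/Principal implements, and a hypothetical session attribute name `some_random_subject_key` under which your Realm or Authenticator stores the JAAS Subject; stock Tomcat does neither, so without that plumbing the filter simply finds no Subject and runs the chain unchanged.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical: a Principal your custom Realm returns that still carries the JAAS Subject. */
interface SubjectAwarePrincipal extends Principal {
    Subject getSubject();
}

/**
 * Servlet Filter that performs the "access context switch": it recovers the Subject
 * that the login step produced and runs the rest of the chain inside Subject.doAs,
 * so downstream code sees it via Subject.getSubject(AccessController.getContext()).
 */
public class SubjectDoAsFilter implements Filter {

    /** Hypothetical session key; your Realm/Authenticator must store the Subject under it. */
    public static final String SUBJECT_KEY = "some_random_subject_key";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /** Locate the Subject: first from a Subject-aware Principal, then from the session. */
    static Subject findSubject(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        if (p instanceof SubjectAwarePrincipal) {
            return ((SubjectAwarePrincipal) p).getSubject();
        }
        HttpSession session = req.getSession(false); // never create a session here
        if (session != null) {
            Object o = session.getAttribute(SUBJECT_KEY);
            if (o instanceof Subject) {
                return (Subject) o;
            }
        }
        return null;
    }

    public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain chain)
            throws IOException, ServletException {
        Subject subject = (req instanceof HttpServletRequest)
                ? findSubject((HttpServletRequest) req) : null;

        if (subject == null) {
            // No authenticated Subject: do NOT fabricate one. Run the chain unchanged and
            // let the container's declarative security (auth-constraint) decide access.
            chain.doFilter(req, resp);
            return;
        }

        try {
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException, ServletException {
                    chain.doFilter(req, resp); // everything below now runs "as" the user
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // doAs wraps checked exceptions; unwrap so the container sees the real cause.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }

    /** What a servlet or business object behind the filter calls to get the Subject. */
    public static Subject currentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }
}
```

Map the filter in web.xml ahead of any servlet that needs the Subject; it only affects the request thread between `doFilter` entry and exit, so work handed off to another thread will not inherit the Subject unless you pass it along explicitly.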

The Principal returned by the request is a SimplePrincipal; it doesn't have the getSubject method :(

I discovered that the subject is in the JNDI tree: ctx.lookup("java:/comp/env/security/subject");

Another interesting thing is that if I create the subject myself by using the LoginContext, no subject is placed in the JNDI context. I'm not very confident with the JNDI solution yet, but it looks like it works. I will take a look at the valves of Tomcat too, waren!